Vulnerabilities / Threats
11/20/2009
11:43 AM
50%
50%

Tech Insight: 3 Factors To Assess Before Doing Your Own Penetration Testing

What you need to know about bringing penetration testing in-house

With the veil of mystique and enterprise concerns surrounding penetration testing gradually being lifted, enterprises are realizing how a quality, comprehensive pen test can supplement their security efforts and find holes before attackers do -- with the added benefit of meeting PCI DSS requirement 11.3. Now many enterprises are starting to consider whether they should perform pen testing in-house themselves.

The average IT professional views pen testing as a black art. It's an activity often seen as dangerous and counterproductive to an operational environment where testing could impact business and cause downtime, but it's a practice gaining popularity thanks to the annual pen-testing requirement by the PCI Data Security Standards (DSS) and publicity surrounding the recent purchase of the Metasploit Project by Rapid7.

Deciding whether to pen test in-house or outsource the job is a decision not to be taken lightly considering it can cost anywhere from $5,000 to $50,000 or more, depending on the size of the target, scope, and reputation of the testing vendor. A pen-testing product, meanwhile, costs anywhere from a few hundred dollars for a narrowly focused tool to $30,000.

While saving tens of thousands of dollars by purchasing your own pen-test tool sounds good at first, with internalizing the work has its own costs. The investment in human resources, training, and software must be weighed against the potential savings from shelling out big bucks for a third party pen test. Let's examine each:

  • Human resources: The first and most obvious cost to the bottom line is HR. Are there existing personnel within the organization who have the skills and experience to perform a comprehensive pen test? If so, then the next decision is whether their current job duties can coexist with their new pen-test duties. Answering those questions can result in the need to hire new staff to fill in as needed, or to redistribute personnel to make sure all areas are covered appropriately.

  • Training: Training the newly designated pen tester -- or, if you're lucky, a whole pen-testing team -- is the next item on the cost sheet. Time needs to be set aside to attend training either online or at a conference. Online courses, like those from Offensive Security, run as little as $500 to several thousand dollars, while a multiday pen-testing course, like SEC 560 Network Penetration Testing and Ethical Hacking from SANS, is $4,300 for six days.

    Don't forget about retention issues that can accompany adding increased responsibilities on current employees and training both new and current employees. Competent pen-testing skills are very valuable right now, and you'll need to make sure your pen testers' salaries are reasonably competitive with how much they could make elsewhere.

    It's not uncommon for employers to draw up a contract that says the employee must repay part or all of the training expenses if he chooses to leave for another employer within a specific amount of time.

  • Software: Pen-testing software runs the gamut in terms of cost. Exceptional free tools, like the Metasploit Framework and w3af, are available, but they entail a steeper learning curve compared to a polished commercial solution like Core IMPACT. The differences can be measured in the tens of thousands of dollars and hours versus days to become familiar and reasonably comfortable using the different tools. Determining which software to use will depend on budget, organization size, familiarity of the tools by the pen tester, and technologies used by the target.

    Once you've answered the question of whether performing in-house pen testing is cost-effective, you still need to answer the ever important question: Can your team perform a comprehensive test that is objective and doesn't suffer from a myopia that often occurs when the tester is too close to the target organization?

    The upside of performing pen testing with an internal team is they are familiar with the organization, the network, where the critical assets are, and the people. They may end up finding chinks in the company's armor quicker than a third-party pen tester because they have the familiarity and will know where to look first.

    But the trade-off is an internal pen-testing team may be too familiar and comfortable with the target environment and could overlook common issues that someone from the outside may not. Personal relationships may even impact whether they target specific users for social engineering exercises, like a simulated phishing attack.

    Making the decision to staff, train, and maintain an internal pen-testing team is a big one that can have a serious impact on the security of your company -- more than just checking off "YES" on a PCI Self Assessment Questionnaire. It's a good idea to hire a third-party pen-testing firm to follow up on the initial pen tests by the internal team to make sure they're doing a solid job -- and every couple of years thereafter to ensure results are consistent.

    Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

    Comment  | 
    Print  | 
    More Insights
  • Register for Dark Reading Newsletters
    White Papers
    Cartoon
    Current Issue
    Flash Poll
    Video
    Slideshows
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2014-9710
    Published: 2015-05-27
    The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time windo...

    CVE-2014-9715
    Published: 2015-05-27
    include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that trig...

    CVE-2015-2666
    Published: 2015-05-27
    Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to t...

    CVE-2015-2830
    Published: 2015-05-27
    arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrate...

    CVE-2015-2922
    Published: 2015-05-27
    The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.

    Dark Reading Radio
    Archived Dark Reading Radio
    After a serious cybersecurity incident, everyone will be looking to you for answers -- but you’ll never have complete information and you’ll never have enough time. So in those heated moments, when a business is on the brink of collapse, how will you and the rest of the board room executives respond?